KEMBAR78
LABSCon 2022 Techniques by moohax · Pull Request #24 · trailofbits/semgrep-rules · GitHub
Skip to content

LABSCon 2022 Techniques #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jan 26, 2023
Merged

LABSCon 2022 Techniques #24

merged 4 commits into from
Jan 26, 2023

Conversation

moohax
Copy link
Contributor

@moohax moohax commented Dec 31, 2022

New PR for CLA.

Changes:

tf -> tensorflow
np -> numpy

@GrosQuildu GrosQuildu self-requested a review January 3, 2023 10:29
GrosQuildu
GrosQuildu requested changes Jan 3, 2023
View reviewed changes
Copy link
Collaborator

@GrosQuildu GrosQuildu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added metadata to few rules. All rules need similar fields. (We will make CONTRIBUTING file soon with all requirements for new rules).

Left a few comments - some rules can be merged; some have invalid tests.

All tests need improvements:

  • add # ruleid: <name of rule> where the semgrep should find the issue
  • add # ok: <name of rule> where semgrep should not find issue

I am a bit worried about number of false positives - is using all these methods always insecure, or can we filter-out some common false positives (e.g., using hardcoded paths)?

If possible, we can enhance messages with guidance on how to fix the issues - propose more secure alternatives or e.g., sanitizing inputs.

Rules like these can be simplified:

patterns:
    - pattern-either: 
      - pattern: |
      tensorflow.load_op_library($PATH)

with

patterns:
  - pattern: |
    tensorflow.load_op_library($PATH)

Once everything is fixed, run semgrep --test ./

moohax
moohax commented Jan 4, 2023
View reviewed changes
moohax
moohax commented Jan 4, 2023
View reviewed changes
@GrosQuildu
Copy link
Collaborator

To limit false positive, removed detection of hardcoded strings. This is in accordance with similar, official semgrep rules.

Removed:

  • onnx-convert-ort - semgrep doesn't support bash language yet
  • pandas-read-* - reading json/csv is not inherently insecure, it depends form where you get data. There are advanced rules that can track data flow and determine if reading specific file is safe. Consider extending such rule with pandas. I guess CodeQL should be a good match here.
  • pickle-load - already exists r/python.lang.security.deserialization.pickle.avoid-pickle
  • tensorflow-load-op-library - merged with tensorflow-load-op-library

@GrosQuildu GrosQuildu merged commit 0d7345f into trailofbits:main Jan 26, 2023
@GrosQuildu
Copy link
Collaborator

Thanks a lot @moohax ! Finally merged the rules.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@GrosQuildu GrosQuildu GrosQuildu approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@moohax @GrosQuildu